-
Notifications
You must be signed in to change notification settings - Fork 148
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support passphrase protected client certificate keys when using mTLS #4515
Comments
Pinging @elastic/elastic-agent (Team:Elastic-Agent) |
Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane) |
@cmacknz @pierrehilbert @nimarezainia @jlind23 help me to clarify this issue:
This is already implemented, the agent accepts What I see missing is the client certificate key to accept a passphrase. Thus I believe what is missing on the agent side is to accept Another thing I'd like to ask. Those configs come from the CLI as well as the policy, therefore there is also the precedence issue. I checked there are unit test on the policy change handler for
Regarding Elastic Defend, shouldn't it be its own issue. Those are completely separated things, which will require different tests and more importantly can be delivered on their own. So, in summary I believe there is at least 3 issues here:
|
Correct, the issue description is wrong and/or out of date.
👍 Ideally we'd have a test that uses key passphrases for both the client and server side keys.
elastic-agent/internal/pkg/agent/application/fleet_server_bootstrap.go Lines 119 to 136 in 781f529
Defend needs to be able to talk directly to Fleet Server, so we already inject all the fleet parameters necessary for this into their configuration. Since Defend doesn't support private key passphrases, rather than pass them the passphrase and encrypted key and require them to implement support, we can just pass them the decoded private key so they are in the same situation as regular mTLS where they are passed just the key. You don't need to change the control protocol at all. Looking at the endpoint source code they support reading the certificate and key as long as they are in the Ideally our automated test for encrypted key files would run with Defend installed, but if that isn't possible for some reason we can get away with a test ensuring we inject the key in the expected format and a manual test. |
Updated the description with the right command line options. |
I created the tickets:
I believe it covers all that is here. Please have a look and see if you agree with them, particularly the out of scope tests. |
closed as it's the following issues were created as a result of investigating what was required by this issue |
We are adding support for mTLS between Elastic Agent and Fleet Server (or the proxy in front of Fleet Server). This requires specifying the client side private key. Currently this key must be specified on the command line which makes it easy to see. Fleet server currently supports reading the private key from a passphrase protected file. We should do the same for Elastic Agent mTLS. Support for reading these files was added in elastic/elastic-agent-libs#109.
In the in progress mTLS implementation we do not expose command line options for reading the certificate key from a file. We need to support the
--elastic-agent-cert-key-passphrase
to support this.Endpoint security today does not support reading keys from passphrase protected files either. Rather than make endpoint-security implement this functionality, the agent should pass the decoded private key over the control protocol (which is itself protected by mTLS on local host or local sockets/pipes). This centralizes the implementation and provides the key handling as a platform feature.
Acceptance Critera
The text was updated successfully, but these errors were encountered: